3 Answers
3

How much do you know about the LAN in question? I'm assuming you don't know anything and just plugged in the cable or connected to wifi.

Try requesting an IP address with DHCP. Do you get one? Then you already know a few things: the gateway IP, the DHCP server IP, the subnet mask and maybe DNS servers.

If you don't get one, there is either no DHCP server or the network is MAC filtered.

Either way start capturing packets with wireshark. If you are on wireless or connected to a hub it's easy. If you are connected to a switch you can try MAC flooding to switch it back to "hub mode" but a smarter switch will just disable your port. If you want to try it anyway ettercap can do this for you. (Or macchanger and a shell script :) )

Looking at the packets you can find IP addresses, but most importantly you can guess the network parameters. If you suspect MAC filtering, change your MAC address to one of the observed ones after it leaves (sends nothing for a while).

When you have a good idea about the network configuration (netmask, gateway, etc.) use nmap to scan. Nmap can do a lot more than -sP; in case some hosts don't respond to ping, check out the documentation. It's important to note that nmap only works if your network settings and routes are correct.

Some (most?) system administrators don't like a few of the above methods, so make sure it is allowed (for example, it's your network). Also note that your own firewall can prevent some of these methods (even getting an IP with DHCP), so check your rules first.

Nmap

Here is how to do basic host discovery with nmap. As I said, your network configuration should be correct when you try this. Let's say you are 192.168.0.50 and you are on a /24 subnet. Your MAC address is something that is allowed to connect, etc. I like to have wireshark running to see what I'm doing.

First I like to try the list scan, which only tries to resolve the PTR records in DNS for the specified IP addresses. It sends nothing to the hosts, so there is no guarantee it is really connected or turned on, but there is a good chance. This mode obviously needs a DNS server which is willing to talk to you.

nmap -vvv -sn -sL 192.168.1.0/16

This may find nothing or it may tell you that every single IP is up.

Then I usually go for ARP scan. It sends ARP requests (you see them as "Who has ? Tell " in wireshark). This is pretty reliable since no one filters or fakes ARP. The main disadvantage is that it only works on your subnet.

nmap -vvv -sn -PR 192.168.1.0/24

If you want to scan something behind routers or firewalls, then use SYN and ACK scans. SYN starts a TCP connection and you either get an RST or a SYN/ACK in response. Either way the host is up. You might get ICMP communication prohibited or something like that if there is a firewall. Most of the time, if a firewall filtered your packets you will get nothing. Some types of firewall only filter the TCP SYN packets and let every other TCP packet through. This is why ACK scan is useful. You will get RST in response if the host is up. Since you don't know what firewall is in place, try both.

nmap -vvv -sn -PS 10.1.2.0/24
nmap -vvv -sn -PA 10.1.2.0/24

Then of course you can use the ICMP-based scans with -PE -PP -PM.

Another interesting method is -PO with a non-existent protocol number. Often only TCP and UDP are considered on firewalls and no one tests what happens when you try some unknown protocol. You get an ICMP protocol unreachable if the host is up.

nmap -vvv -sn -PO160 10.1.2.0/24

You can also tell nmap to skip host discovery (-Pn) and do a portscan on every host. This is very slow but you might find other hosts that the host discovery missed for some reason.
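As an added example that is not part of the answer above: once two of the discovery runs have been saved with -oN, this Python parser reads both output styles quoted in the comments on this answer (the nmap 5.00 "Host ... is up" line and the newer "Nmap scan report for ..." block, plus the MAC Address line ARP scans print) and shows which hosts each probe type found. The sample scan output is constructed for the example, not real scan data.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Host lines in nmap "normal" output, in both styles quoted in the comments on this answer:
#   nmap 5.00:  "Host 192.168.2.23 is up (0.0088s latency)."
#   nmap 5.2x+: "Nmap scan report for justin-desktop2 (192.168.0.61)" + "Host is up (0.00056s latency)."
#   ARP scans (-PR) of the local subnet also print "MAC Address: 00:11:22:33:44:55 (Vendor)".
IP = r"(?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
OLD_HOST = re.compile(r"^Host " + IP + r" (?:is|appears to be) up(?: \((?P<lat>[\d.]+)s latency\))?")
NEW_HOST = re.compile(r"^Nmap scan report for " + IP + r"(?P<down> \[host down\])?")
NEW_UP = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

@dataclass
class Host:
    ip: str
    name: Optional[str] = None
    status: str = "listed"  # "up", "down", or "listed" (-sL only resolves names, it never probes)
    latency: Optional[float] = None
    mac: Optional[str] = None

def parse_nmap_normal(text: str) -> list:
    """Return one Host per report line, in the order nmap printed them."""
    hosts = []
    for line in text.splitlines():
        if m := OLD_HOST.match(line):
            hosts.append(Host(m["ip"], m["name"], "up", float(m["lat"]) if m["lat"] else None))
        elif m := NEW_HOST.match(line):
            hosts.append(Host(m["ip"], m["name"], "down" if m["down"] else "listed"))
        elif hosts and (m := NEW_UP.match(line)):  # these two belong to the preceding report line
            hosts[-1].status, hosts[-1].latency = "up", float(m["lat"]) if m["lat"] else None
        elif hosts and (m := MAC_LINE.match(line)):
            hosts[-1].mac = m["mac"].upper()
    return hosts

def up_ips(hosts) -> set:
    return {h.ip for h in hosts if h.status == "up"}

def only_found_by(first, second) -> set:
    """IPs up in one discovery run but not the other, e.g. ARP (-PR) versus TCP SYN ping (-PS)."""
    return up_ips(first) - up_ips(second)
# Constructed sample output (not real scan data): an ARP scan and a SYN-ping scan of the same /24.
ARP_SCAN = """Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Example Vendor)
Nmap scan report for justin-desktop2 (192.168.0.61)
Host is up (0.00056s latency).
Nmap scan report for 192.168.0.99 [host down]"""
SYN_SCAN = """Host 192.168.0.1 is up (0.0030s latency).
Host 192.168.0.99 appears to be up."""
```

A host in only_found_by(arp, syn) answered ARP but not the TCP probe, which is what you expect from a host-based firewall filtering SYN; the reverse set is what an ARP scan cannot see because it lies outside your subnet.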

This looks like an excellent answer, and now I'm going to have to ask you to spoon-feed me by including what commands to run for each task. I'm specifically interested in how to use Nmap to answer my question (don't make me read the docs :)
– Tshepang, Feb 28 '11 at 18:57

4

@Tshepang: I added some nmap examples, but I hope you consider reading the docs. Nmap is one of the greatest network tools and the documentation is well written; it is really worth the time.
– stribika, Mar 1 '11 at 13:42

@Tshepang - I did nmap -sP 192.168.0.* and it returned a list of output of the form: Nmap scan report for justin-desktop2 (192.168.0.61) Host is up (0.00056s latency).
– Justin Ethier, Feb 25 '11 at 12:43

@justin I'm using version 5.00 and it's now showing a number of machines on my network, with the form Host 192.168.2.23 is up (0.0088s latency).
– Tshepang, Feb 25 '11 at 12:53